The forums have permanently moved to forum.kirupa.com. This forum will be kept around in read-only mode for archival purposes. To learn how to continue using your existing account on the new forums, check out this thread.


Results 1 to 8 of 8

Thread: [php] Password

  1. #1

    [php] Password

    Is this password form secure? If not, what do I need to check for?
    PHP Code:
    <?php
        
    function secCode()
        {
            include_once(
    "constants.php");
            
            
    // obtain the password the user has entered
            
    $password $_POST['password'];
            
            
    // warn for incorrect password
            
    if(($password != "321498762") && (strlen($password) > 0))
                
    $wrongPW "<br /><font color=\"$WARN\">Wrong password.</font>";
            
            
    // ask for password
            
    if($password != "321498762")
            {
                echo(
    "
                    <form name=\"form\" method=\"post\" action=\"index.php?sec=admin\">
                        <p>
                            Password: 
                            <input name=\"password\" value=\"
    $password\" type=\"password\" size=\"15\" maxlength=\"15\" /> 
                            <input type=\"submit\" name=\"Submit\" value=\"Submit\" />
                        </p>
                        
    $wrongPW
                    </form>    
                "
    );
            }
            
            
    // correct password has been entered
            
    else
            {
                echo(
    success);
            }
        }
    ?>

  2. #2
    man, that's ugly. you should really try using concatenation with single quotes instead of double quotes. it prevents you from needing all those escape characters and is faster as well.

    anyway, why are you storing your password in the file? you should store it externally in a non-public location (preferably a mysql db). also, you shouldn't store the password itself but the md5 hash value of the password. then compare md5($_POST['password']) to the md5 of your password.

    also, you should be checking for positive matches to verify authentication. not the other way around.

  3. #3
    By single quotes, do you mean this?
    PHP Code:
    echo("<table width='5' height='6'></table>"); 
    I don't understand your "other way around" logic. Isn't !TRUE == FALSE and !FALSE == TRUE. So what's the dealio, yo?
    Last edited by NeoDreamer; January 30th, 2007 at 03:35 PM.

  4. #4
    by single quotes, i mean this:
    PHP Code:
    // fast clean
    echo 'here is my image: <img src="'.$imgURL.'" />';
    echo 
    'more text';

    // slow and ugly
    echo "here is my image: <img src=\"$imgURL\" />"
    i actually wrote about it in this blog post.

    anyway, i think the way you have the logic coded just makes it confusing. i think it's better to say, "does this password match? if no, then login failed." rather than, "does this password not match? if no, then login successful."

  5. #5

    meh

    Meh ,
    i think its crap.

    first of all functions are to put something in it, and also to not return output in the function
    rather return a var or array or a boolean

    so better would be:

    Code:
     
    function LoginForm()
    {
    $form = '';
    $form = '<form ...etc';
     
    return $form;
    }
     
    function LoginCheck($_PostArray)
    {
    return ($_PostArray['value'] == "password") ? true : false;
     
    /*
    // or more adv
    $errors = array();
    if ($_PostArray['value'] != "password")
    {
    $errors[]="password dont match";
    }
    // add more 
     
    if (isset($errors) && count($errors) > 0 )
    {
    return $errors;
    }else{
    return true;
    }
    */
    }
     
     
     
    if ($_SERVER['REQUEST_METHOD'] == 'POST')
    {
    if (LoginCheck($_POST) === TRUE)
    {
    // valid
    }else{
    // not valid
    }
    }else{
    // show form
    echo LoginForm();
    }
    Last edited by kenisfam; January 30th, 2007 at 04:23 PM.

  6. #6

  7. #7
    So is there any way for them to obtain the password if I keep it inside the PHP file?

  8. #8
    sure. for instance if you have an upload form somewhere else and don't protect against .php file uploads. so someone uploads a php file (which has code to display the PHP code from your password page), goes to that address, and like magic there's your code in full view with password and all.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Home About kirupa.com Meet the Moderators Advertise

 Link to Us

 Credits

Copyright 1999 - 2012